In 2001, a pair of Italian programmers wrote a program called Ettercap, a "comprehensive suite for man-in-the-middle attacks" — in other words, a set of tools for eavesdropping, sniffing passwords, and remotely manipulating someone’s computer. Ettercap was free, open source, and quickly became the weapon of choice for analysts testing the security of their networks as well as hackers who wanted to spy on people. One user called it "sort of the Swiss army knife" of this type of hacking.
Ettercap was so powerful that its authors, ALoR and NaGA, eventually got a call from the Milan police department. But the cops didn’t want to bust the programmers for enabling hacker attacks. They wanted to use Ettercap to spy on citizens. Specifically, they wanted ALoR and NaGA to write a Windows driver that would enable them to listen in to a target’s Skype calls.
That’s how a small tech security consultancy ended up transforming into one of the first sellers of commercial hacking software to the police. ALoR’s real name is Alberto Ornaghi and NaGA is Marco Valleri. Their Milan-based company, Hacking Team, now has 40 employees and sells commercial hacking software to law enforcement in "several dozen countries" on "six continents."
Hacking Team’s flagship product enables police to collect heaps more data than the National Security Agency
Today, Hacking Team’s flagship product, Da Vinci, enables law enforcement at federal, state, or local levels to collect heaps more data than the National Security Agency’s controversial PRISM program is reportedly capable of gathering. With Da Vinci, the police can monitor a suspect’s cell phone conversations, emails, and Skype calls, and even spy on the target through his or her webcam and microphone. It’s as if the investigator were standing behind a suspect using their computer.
Hackers have written rootkits and backdoors for decades. But the development of commercial hacking software — complete with custom features, regular updates, and tech support — is fairly new.
"You’re actually getting a commercially developed product," says Morgan Marquis-Boire, a security researcher who has authored reports on Hacking Team and the market for state-sponsored hacking tools for University of Toronto’s Citizen Lab. "That’s actually what makes it different from the sort of backdoors that hackers were using sort of for the lulz, like 18 years ago when I was opening my flatmate’s CD-ROM drive to freak him out."
Companies like Hacking Team, Gamma International, and VUPEN are now developing this software and pitching it to government agencies around the world. And instead of opening people’s CD-ROM drives, these clients are spying on citizens.
Hacking Team says it only sells to law enforcement and intelligence agencies and will not sell to countries that are blacklisted by NATO. Critics say the software has ended up in rogue hands, resulting in the near-hacking of one American citizen, the beating of a UAE activist, and the surveillance of pro-democracy Moroccan journalists, incidents the company has obliquely denied, citing client confidentiality and calling the claims "largely circumstantial."
But governments hacking their own citizens is new legal ground in many nations, including the US, where it was recently revealed that the FBI is building its own hacking tools. US precedent is not totally clear, but continuing surveillance through a suspect’s computer would likely require investigators to meet the same standards required for a wiretap and get approval from a judge.
There is no evidence that Hacking Team’s software is being used in the US, but the company opened an office in Annapolis in 2011, hired a US spokesman in 2012, and shows up at exclusive conferences aimed at American law enforcement agencies. A recent WikiLeaks release purported to show a Hacking Team salesman making trips to the US at least three times in 2012 and 2013, and members of the security community say the company seems to have a growing presence here.
"If they haven’t sold anything in the US yet, it’s not because they haven’t been trying really hard," says Christopher Soghoian, senior policy analyst for the American Civil Liberties Union.
A tool like Da Vinci could be attractive to large US police departments, especially given the emphasis on counterterrorism in state police departments and large metropolitan areas like New York City.
Da Vinci costs "hundreds of thousands of dollars" and is customized for each client, says Eric Rabe, Hacking Team’s senior counsel and US spokesman. That puts the program out of the reach of many smaller departments, although the Department of Homeland Security has given grants to police departments to purchase surveillance technology for use against terrorists.
Rabe declined to say whether Hacking Team has any American clients or is ramping up in the US. "There are people out there doing bad things, and they’re using the internet and communication devices to facilitate their needs," he says. "I think it’s the responsibility of police departments to use any tool they can to investigate those possible threats and stop them if they find them to be credible. I’m kind of astonished that there are people who think police shouldn’t have those capabilities."
The ascent of companies like Hacking Team is "potentially worrisome" because of the potential for abuse by law enforcement, says Kurt Opsahl, a senior staff attorney with the Electronic Frontier Foundation. However, Hacking Team has largely avoided criticism so far. Even though many Americans might balk at the idea of the police being able to monitor every keystroke, that discussion is not happening. As outrage over the NSA’s surveillance capabilities is still being stoked by new revelations from the Snowden files, Hacking Team is slipping in through the backdoor.
Correction: An earlier version of this story erroneously said the activist who was beaten was Moroccan; he is from the UAE. The Verge regrets the error.